Reliably flushing individual tables in nftables

On my firewall machines the nft ruleset contains tables I created
(using a systemd unit similar to Debian's nftables.service unit) and
also tables created by Tailscale.

When reloading my own rules, I'd like to be able to use 'nft --check'
to validate the candidate rules before attempting to apply them, in
case a failed application would leave the firewall more open than it
should be. However, I can't do that at the moment because '--check'
assumes that the commands supplied to it are being applied to an
'empty' environment, or something similar to that.

Normally this would be solved by including 'flush ruleset' in the
rules file passed to '--check', but I can't do that because it would
flush the Tailscale tables too.

I've tried using 'flush table <table>' commands in the rules file, and
that works as long as the rules have been previously loaded (in tables
with the same names). It fails at system startup though, because 'nft
flush table <table>' fails with an error if the named table does not
exist.

I've got an ugly workaround at the moment but I'd like to avoid that.
I think the simplest solution here would be to enhance 'nft flush
table <table>' to not report an error if the table does not exist,
since in the end that was almost the same goal as the command itself.
Does this seem reasonable?
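One way to get a flush that works at first boot without touching the Tailscale tables, as an added example that is not the poster's workaround and not part of the original message: 'add table' succeeds whether or not the table already exists, so prefixing each 'flush table' with a matching 'add table' makes the flush safe in both the fresh-boot and the reload case. The script builds that prelude for the tables it owns, appends the real rules, runs 'nft -c -f' on the candidate and only then applies it. The table names ('inet filter', 'inet nat') and file paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flush only the tables we own,
# in a way that works whether or not they already exist, then validate the
# candidate ruleset with 'nft -c' before applying it in one transaction.
set -eu

# Tables this script manages, one "family name" pair per line.
# These names are assumptions for the example; adjust to your own ruleset.
OWN_TABLES="inet filter
inet nat"

# Emit, for each owned table, an idempotent 'add table' (no error if the
# table exists) followed by 'flush table' (which now always has a target).
# Tables we do not list, such as Tailscale's, are never mentioned and so
# are left alone.
nft_prelude() {
    printf '%s\n' "$1" | while read -r family name; do
        [ -n "$family" ] || continue
        printf 'add table %s %s\n' "$family" "$name"
        printf 'flush table %s %s\n' "$family" "$name"
    done
}

# Build the candidate rules file: prelude first, then our own rule body
# (the usual 'table inet filter { ... }' definitions).
#   $1 = owned tables, $2 = path to rule body, $3 = output path
build_candidate() {
    {
        nft_prelude "$1"
        cat "$2"
    } > "$3"
}

# Validate, then apply. 'nft -c' parses and evaluates without committing;
# 'nft -f' loads the whole file as a single transaction, so a failure in
# the apply step leaves the running ruleset unchanged rather than half-open.
#   $1 = path to rule body (e.g. /etc/nftables.conf, an assumed path)
load_rules() {
    candidate=$(mktemp)
    trap 'rm -f "$candidate"' EXIT
    build_candidate "$OWN_TABLES" "$1" "$candidate"
    nft -c -f "$candidate"
    nft -f "$candidate"
}
```

Two caveats a practitioner should keep in mind: 'flush table' empties the chains and sets in a table but does not delete them, so a chain that you remove from the rules file remains in the kernel until it is deleted explicitly; and newer nftables releases provide a 'destroy' command that, unlike 'delete', does not error when the object is missing (check nft(8) on your system), which would let the prelude drop and recreate the table outright instead of flushing it.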
